    Don’t Panic Over Black Friday Security Despite Rash of Retail Breaches

    By Sean Michael Kerner - November 26, 2014

      On Black Friday in 2013, millions of consumers shopped at retailers that had been breached by point-of-sale (POS) malware. A year later, has anything changed?

      Target admitted in December 2013 that it was breached between Nov. 27 and Dec. 15 of that year in an incident in which 70 million customers were impacted. The breach also cost Target $148 million in expenses and took the jobs of Target’s CIO and CEO.

      As it turns out, the Target breach was only the leading edge of an avalanche of retail breaches that were disclosed in 2014. Grocery chain SuperValu, UPS, Michaels, Dairy Queen, Goodwill, Staples and Home Depot are among the retailers that admitted being breached during the year.

      Surprisingly, while the Target breach was reported last December and was the subject of intense scrutiny and discussion in the first half of this year, lessons learned from that incident apparently were not enough to stem the tide.

      Home Depot, for example, reported its breach in September, with the actual attack lasting from April to September. That means that Home Depot’s systems were breached long after Target’s disclosure and long after the retailer should have been able to discern lessons and best practices from that incident.

      With Home Depot, the retailer has admitted that a third-party vendor’s username and password were compromised. That credential compromise was then leveraged by the attacker to gain access to the Home Depot network. Once inside, a privilege escalation flaw was exploited, giving the attacker broader access. With that access, some form of POS malware was deployed, which is how the customer information was stolen.

      The problem with the Home Depot breach scenario is that it is likely the same as what happened at Target. It is also likely the same scenario that has played out at other retailers, including some that consumers will shop at on Black Friday.

      While this has been a year of disclosures and discussion about retail breaches, the simple truth is this: Little has changed. POS malware is still widely deployed, with the Backoff POS malware alone infecting a thousand retailers, according to the U.S. Secret Service.

      Going a step further, privilege escalation vulnerabilities, which in my view are at the root of many retail breaches, remain difficult to deal with. Case in point, it was just last week that Microsoft warned that a complete fix of a potentially compromised domain requires the organization to completely rebuild its domain. Given the proximity to Black Friday and the complexity of rebuilding domains, I suspect that not all retailers that run Windows have actually heeded Microsoft’s advice.

      While there are likely still privilege escalation risks present in some retailer networks and there are also likely still many undetected POS infections, not all is lost.

      Don’t Panic

      While the risk of retailer breaches on Black Friday is still present, there is much reason for optimism too.

      Thanks to the Target breach and those like it, there has been heightened awareness among law enforcement and credit card issuers. While as-yet-unknown breaches and POS malware might well be lurking on retailer systems on Black Friday, the “good guys” are watching for bad things.

      Just because POS malware is present and an attacker has access to a network doesn’t mean that consumers will lose any money. Ongoing monitoring of networks for suspicious activities can potentially detect a post-breach action, where an attacker attempts to take data out of a network.

      Also, there is little incentive for an attacker to steal a single credit card; rather, the only way an attacker can make money is by stealing many cards. When the attackers (known sometimes as “carders”) try to sell the credit cards in hacker forums, law enforcement is often watching.

      Additionally, though there have been many retail breaches over the course of the last year, consumers are typically not liable for any of the losses or fraud. That is to say, even if a consumer’s credit card is part of a breach, there is no financial loss for that individual.

      That said, there are some basic consumer best practices that should be considered this Black Friday.

      1. Keep all receipts: In the event there is a dispute, having a receipt can be helpful.

      2. Check all statements: While credit card issuers are vigilant about looking for fraud, consumers also have a responsibility to make sure charges are accurate.

      3. Use multiple cards: In the event there is fraud, one of the actions a credit card issuer may take is to block a card. If you have multiple cards and one is compromised, having another credit card will enable you to shop at another (hopefully uncompromised) retailer.

      The bottom line is that risk is present and always has been in retail. In the pre-digital processing age, carbon receipts were a risk that could have enabled fraud. Even just ordering a pizza on the phone and giving your credit card number could be a path to fraud.

      Vigilance has always been key to consumer safety with credit cards, and vigilance remains the watchword for Black Friday 2014 as well.

      Simply stated: Don’t panic.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
